Note that, in the font that ZoneLabs uses in the screen copy just above, a bold capital I looks identical to a bold lower-case L. LSASS.EXE is a normal Windows component. ISASS.EXE is a trojan and keylogger. Whoever wrote that malware took advantage of ZoneLabs' choice of font. However, we found no ISASS.EXE on the infected computer that we checked.

From its behavior it is evident that ZoneAlarm does not see the entire infection. Since the infection comes back again and again even after files have been quarantined, it is obvious that the real infection is not being eliminated.

When the GLxxx.tmp files are deleted, they return after the next restart. The GLxxx.tmp files carry many different dates, even though they were newly created.

ZoneAlarm reports again and again that "BroadCastPC" and "Virtual Bouncer" have been quarantined.

Here are some of the files in the temp folder. (To go to the temp folder, at the DOS prompt type CD %user% and press the ENTER key.)

This part of a sentence from the Prevx1 web page accurately describes our experience:

"This [.TMP] File Type uses the file names GLB1.TMP and GLB6B.TMP and at least 65 other file names, the latest we have seen is GLB8B.TMP. It has a file size of 71,680 bytes and is found in the folder [%TEMP%\]"

In the file list above, the malware apparently is not active, and there is no file with a size of 71,680 bytes. Note that not all the files have the same date, even though they were created within minutes of each other.
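The two indicators described above (the ISASS/LSASS look-alike name, and the GLxxx.tmp files that are 71,680 bytes when active) can be checked with a small script. This is an added example, not code from the original write-up; the GLxxx.tmp name pattern generalises the GLB1/GLB6B/GLB8B names quoted above, and the set of look-alike glyphs (capital I, lower-case l, digit 1, pipe) is an assumption about the font.

```python
import re

# Indicators from the write-up: GLxxx.tmp files in %TEMP% that are 71,680 bytes
# when active, and a process name that imitates LSASS.EXE by swapping the
# leading L for a visually identical capital I.
GL_TMP_PATTERN = re.compile(r"^GL[0-9A-F]{1,3}\.TMP$", re.IGNORECASE)  # assumed generalisation
GL_TMP_ACTIVE_SIZE = 71_680
IMITATED_SYSTEM_NAMES = {"lsass.exe"}


def fold_lookalikes(name):
    """Map glyphs that look alike in a bold sans-serif font (capital I,
    lower-case l, digit 1, pipe; an assumed set) onto one letter,
    so that ISASS.EXE and lsass.exe compare equal."""
    return re.sub(r"[il1|]", "l", name.lower())


def classify(name, size):
    """Return a verdict string for a suspicious file name, or None."""
    lowered = name.lower()
    if lowered in IMITATED_SYSTEM_NAMES:
        return None  # the genuine component name; nothing to flag on name alone
    if fold_lookalikes(lowered) in {fold_lookalikes(n) for n in IMITATED_SYSTEM_NAMES}:
        return "lookalike-of-system-process"
    if GL_TMP_PATTERN.match(name):
        return "GLxxx.tmp-active-size" if size == GL_TMP_ACTIVE_SIZE else "GLxxx.tmp-name-only"
    return None


def scan_listing(listing):
    """Classify (file name, size in bytes) pairs, e.g. built from os.scandir(os.environ['TEMP'])."""
    return [(name, verdict) for name, size in listing if (verdict := classify(name, size))]


# Constructed sample listing, not a capture from the infected machine.
SAMPLE_TEMP_LISTING = [
    ("GLB1.TMP", 71680),
    ("GLB6B.TMP", 12288),
    ("~DF3A2C.TMP", 16384),
    ("ISASS.EXE", 40960),
    ("lsass.exe", 13312),
]

if __name__ == "__main__":
    for name, verdict in scan_listing(SAMPLE_TEMP_LISTING):
        print(f"{name:12} {verdict}")
```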

The actual operation of the malware seems to occur only under one user name, which in this case has extremely limited rights. The malware does not seem active when logged in under a user name with Administrator rights.